JP5375884B2 - Authentication apparatus, authentication method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication device which, when permitting the use of a device to a user whose authentication process cannot be performed, prevents permitting the user to use the device as a user whose authentication process can be normally performed. <P>SOLUTION: An authentication device acquires user information of a user who uses a multifunction machine, determines whether or not the user information is included in a cache data table of the authentication device, and, when determining that the user information is not included, performs an authentication process of an approved user for permitting the use of the device to the user. After the authentication process of the approved user is normally finished, the authentication device accepts an input of a user name of the user who uses the device and, when determining that the user name is not included in the cache data table, permits the use of the device as the user having the user name of which input is accepted. <P>COPYRIGHT: (C)2013,JPO&amp;INPIT

Description

  The present invention relates to a user authentication technique when a user uses a device.

  In recent years, with the heightened awareness of security in offices, security has also been required for multifunction peripherals that are devices for inputting / outputting information.

  Therefore, authentication information in which the card information of the IC card owned by the user is associated with the user specifying information is stored in the authentication server, and the card information of the IC card owned by the user is read when using the multifunction device. For example, the MFP is used only after the authentication process using the card information is normally completed.

  However, if the authentication process cannot be performed due to a communication error or the like being unable to communicate with the authentication server, the multifunction device cannot be used and the operation is stopped. Therefore, in Patent Document 1, a user name and a password are held in the multifunction machine as cache data, and even when communication with the authentication server cannot be performed, the cache data held in the multifunction machine can be used to log in to the multifunction machine. The system is described.

JP 2009-65288 A

  However, the system disclosed in Patent Document 1 authenticates and logs in to a multifunction device for users whose cache data has expired or whose cache data has been deleted due to exceeding the maximum number of caches. Can not do it.

  In order to deal with such a problem, for example, user information of a user who uses the multifunction device is acquired, and it is determined whether or not the user information is included in the cache data table of the multifunction device. If it is determined, a selection of a user who approves the use of the multi-function peripheral by a user using the multi-function peripheral is received from the users included in the cache data table, and the user information of the selected approval user is stored in the cache of the multi-function peripheral. If it exists in the data table, it may be possible to allow the user to use the MFP.

  However, when the MFP can be used by the method described above, an IC that can normally authenticate a user who owns an IC card whose cache data has been registered in the cache data table and could not be authenticated. If you allow logging in as a user who owns the card, that is, a user whose cache data is stored in the cache data table, it will impersonate a user who can authenticate successfully, and output the print data associated with that user. May be illegally performed, which is undesirable in terms of security.

  Therefore, the present invention has an object to prevent a user who has an IC card that could not be authenticated from using the device as a user who can be authenticated when the device such as a multifunction device can be used. To do.

An image forming apparatus that permits use by a user who has been authenticated by an authentication process, wherein the first acquisition unit acquires card identification information used for user authentication, and is acquired by the first acquisition unit with respect to an authentication server. Authentication request means for making a user authentication request corresponding to the card identification information , user identification information of a user authenticated by an authentication process performed by the authentication server in response to the authentication request, and the card identification information Storage means for storing information in the storage device as cache information, and cache information including the card identification information acquired by the first acquisition means when the result of authentication by the authentication server cannot be obtained in the storage device a first determination means for determining whether the stored, by the first determination unit, card identification acquired by the first acquisition means After the cache information include broadcast is determined not to be stored in the storage device, a second acquiring means for acquiring user identification information input in accordance with an operation of the user, acquired by the second acquisition unit Second determination means for determining whether cache information including user identification information is stored in the storage device, and user identification information acquired by the second acquisition means by the second determination means is included. If it is determined that the cache information is not stored in the storage device, the card identification acquired by the first acquisition unit to enable the user corresponding to the card identification information to use the image forming apparatus with additional means for additionally registering the cache information in the storage device including the user identification information acquired by the information and the second acquisition means, said additional means, When it is determined that the cache information including the user identification information acquired by the second acquisition unit is stored in the storage device, the card identification information and the second acquisition acquired by the first acquisition unit The cache information including the user identification information acquired by the means is not additionally registered in the storage device .

According to another aspect of the present invention, there is provided a control method for an image forming apparatus that permits use by a user who has been authenticated by an authentication process, wherein the image forming apparatus acquires card identification information used for user authentication; Authenticated by an authentication requesting step for requesting authentication of a user corresponding to the card identification information acquired by the first acquisition means to the authentication server, and an authentication process performed by the authentication server in response to the authentication request. Storing the information including the user identification information of the user and the card identification information in the storage device as cache information, and if the result of authentication by the authentication server cannot be obtained, a first determination step of determining whether cache information is stored in the storage device that contains the acquired card identification information, said first determination step More, after the cache information included the acquired card identification information in the first acquisition step is determined not to be stored in the storage device, a second obtaining user identification information input in accordance with an operation of the user an acquisition step, and the second second determining whether the user identification information acquired by the acquisition step is cached information contained is stored in the storage device of the determination step, by the second determination step, the first If the cache information including user identification information acquired by the second acquisition step is determined not to be stored in the storage device, to allow the use of the image forming apparatus by a user corresponding to the card identification information order, the storage device caches information including user identification information acquired in the first card identification information obtained by the obtaining step and the second acquisition step Characterized by performing an additional step of additionally registering the additional step, if the cache information included user identification information acquired by said second acquisition step is determined to be stored in the storage device The cache information including the card identification information acquired in the first acquisition step and the user identification information acquired in the second acquisition step is not additionally registered in the storage device .

According to another aspect of the present invention, there is provided a computer program executable in an image forming apparatus that permits use by a user who has been authenticated by an authentication process, wherein the image forming apparatus acquires card identification information used for user authentication. An authentication requesting unit for requesting authentication of a user corresponding to the card identification information acquired by the first acquiring unit, and an authentication process performed by the authentication server in response to the authentication request. Storage means for storing information including user identification information of the user authenticated by the card identification information and the card identification information in a storage device as cache information, and when the result of authentication by the authentication server cannot be obtained, cache information including acquired card identification information acquisition means first determines whether it is stored in the storage device A constant section, by the first judging means, after the cache information included the acquired card identification information by the first acquisition means is determined not to be stored in the storage device, is input in accordance with an operation of the user a second determination means for determining whether cache information is stored in the storage device that contains the user identification information and the second acquiring means for acquiring user identification information, acquired by the second acquisition unit that, by the second determination means, when the cache information including user identification information acquired by the second acquisition unit is determined not to be stored in the storage device, according to the user corresponding to the card identification information The card identification information acquired by the first acquisition unit and the user identification information acquired by the second acquisition unit to enable the use of the image forming apparatus. Characterized in that to function as addition means for additionally registering the cache information in the storage device containing the said additional means, said cache information including user identification information acquired by the second acquisition means is stored in the storage device If it is determined that the cache information including the card identification information acquired by the first acquisition unit and the user identification information acquired by the second acquisition unit is functioned as a unit not to be additionally registered in the storage device. And

  According to the present invention, it is possible to prevent a user who has an IC card that could not be authenticated from using the device as a user who can be authenticated when the device such as a multifunction device can be used. Become.

It is a figure which shows the structure of the system in embodiment of this invention. It is a figure which shows the hardware constitutions of client PC100 and the authentication server 200 of embodiment of this invention. It is a figure which shows the hardware constitutions of the multi-function apparatus 300 of embodiment of this invention. 3 is a functional block diagram of a client PC 100, an authentication server 200, and a multifunction peripheral 300 that constitute an embodiment of the present invention. FIG. It is a figure which shows the flow of the user authentication process in embodiment of this invention. It is a figure which shows the flow of the update process of the cache data table (FIG. 11) in embodiment of this invention. 6 is a diagram illustrating a processing flow when communication between the authentication server 200 and the multifunction peripheral 300 results in an error in the embodiment of the present invention. FIG. It is a figure which shows the flow of the process which approves the login of the user who is not registered into cache data in embodiment of this invention. It is a figure which shows the flow of the process which produces the backup file in embodiment of this invention. It is a figure which shows the authentication table in embodiment of this invention. It is a figure which shows the cache data table in embodiment of this invention. It is a figure which shows the backup file in embodiment of this invention. It is a figure which shows the cache data management setting file in embodiment of this invention. It is a figure which shows the screen which prompts a user for IC card authentication in embodiment of this invention. It is a figure which shows the approval user list screen in embodiment of this invention. It is a figure which shows the screen which prompts IC card authentication with respect to an authorized user in embodiment of this invention. It is a figure which shows the screen which receives the input of the user name of the user by whom login was approved by the approval user in embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram showing an example of the configuration of a system using a multifunction machine 300 and an authentication server 200 of the present invention.

  As shown in FIG. 1, the system according to the present embodiment includes one or a plurality of client PCs 100, a plurality of multifunction peripherals (image forming apparatuses) 300, and an authentication server 200 connected via a local area network (LAN) 400, respectively. It is configured to send and receive information.

  The authentication server 200 stores an authentication table (FIG. 10), and an authentication process using the authentication table in response to an authentication request made by a user holding an IC card over the card reader 319 of the multifunction device 300 I do.

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the client PC 100 and the authentication server 200 illustrated in FIG. 1 will be described with reference to FIG.

  FIG. 2 is a block diagram illustrating a hardware configuration of an information processing apparatus applicable to the client PC 100 and the authentication server 200 illustrated in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 202 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs to be described later are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display device such as a CRT display (CRT) 210. In FIG. 2, although described as CRT 210, the display device is not limited to the CRT, but may be another display device such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is connected to the hard disk (HD), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, etc. via an adapter. The access to the external memory 211 such as a compact flash (registered trademark) memory is controlled.

  A communication I / F controller 208 connects and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the CRT 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. In addition, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the CRT 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 211, and a detailed description thereof will be described later.

  Next, the hardware configuration of the multifunction machine 300 shown in FIG. 1 will be described with reference to FIG.

  FIG. 3 is a block diagram illustrating an example of a hardware configuration of the multifunction peripheral 300 illustrated in FIG.

  As shown in FIG. 3, the controller unit 300 includes a CPU 301, a RAM 306, a ROM 302, an external storage device (hard disk drive (HDD)) 307, a network interface (Network I / F) 303, a modem (Modem) 304, an operation unit interface ( Operation unit I / F) 305, external interface (external I / F) 309, image bus interface (IMAGE BUS I / F) 308, raster image processor (RIP) 310, printer interface (printer I / F) 311, scanner interface (Scanner I / F) 312, an image processing unit 313, and the like.

  The CPU 301 is a processor that controls the entire system. A RAM 306 is a system work memory for the CPU 301 to operate, and is a program memory for recording a program and an image memory for temporarily storing image data. The ROM 302 stores a system boot program and various control programs.

The external storage device (hard disk drive HDD) 307 stores various programs for controlling the system, image data, and the like.

  An operation unit interface (operation unit I / F) 305 is an interface unit with an operation unit (UI) 318, and outputs image data to be displayed on the operation unit 318 to the operation unit 318.

The operation unit I / F 305 serves to transmit information (for example, user information) input by the system user from the operation unit 318 to the CPU 301. Note that the operation unit 318 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.

  A network interface (Network I / F) 303 is connected to a network (LAN) and inputs / outputs data.

  A modem (MODEM) 304 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  An external interface (external I / F) 309 is an interface unit that accepts external inputs such as USB, IEEE 1394, printer port, RS-232C, etc. In this embodiment, a card reader for reading an IC card required for authentication is used. 319 is connected.

  The CPU 301 can control reading of information from the IC card by the card reader 319 via the external I / F 309, and can acquire information read from the IC card. Note that the storage medium is not limited to an IC card, and any storage medium that can identify a user may be used. In this case, identification information for identifying the user is stored in the storage medium. This identification information may be a production number of the storage medium or a user code given by the user within the company. The above devices are arranged on the system bus.

  On the other hand, an image bus interface (IMAGE BUS I / F) 308 is a bus bridge that connects a system bus 316 and an image bus 317 that transfers image data at high speed, and converts a data structure.

  The image bus 317 is configured by a PCI bus or IEEE1394. The following devices are arranged on the image bus 317.

  A raster image processor (RIP) 310 develops vector data such as a PDL code into a bitmap image, for example.

  A printer interface (printer I / F) 311 connects the printer 314 and the controller unit 300, and performs synchronous / asynchronous conversion of image data.

  A scanner interface (scanner I / F) 312 connects the scanner 315 and the controller unit 300 to perform synchronous / asynchronous conversion of image data.

  The image processing unit 313 corrects, processes, and edits input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 313 performs image data rotation and compression / decompression processing such as JPEG for multi-valued image data and JBIG, MMR, MH for binary image data.

  A scanner 315 connected to the scanner I / F 312 illuminates an image on paper as an original and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 318, the CPU 301 gives an instruction to the scanner, and the feeder feeds the original paper one by one to read the original image. I do.

  A printer 314 connected to the printer I / F 311 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is supplied from a micro nozzle array. There is an ink jet method for ejecting and printing an image directly on a sheet, but any method may be used. The activation of the printing operation is started by an instruction from the CPU 301. The printer unit 314 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  The operation unit 318 connected to the operation unit I / F 305 includes a liquid crystal display (LCD) display unit. A touch panel sheet is pasted on the LCD to display a system operation screen, and when the displayed key is pressed, the position information is transmitted to the CPU 301 via the operation unit I / F 305. The operation unit 318 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

  Here, the start key of the operation unit 318 is used when starting a document image reading operation. There are green and red LEDs in the center of the start key, and indicates whether or not the start key can be used depending on the color. In addition, the stop key of the operation unit 318 functions to stop the operation being performed. The ID key of the operation unit 318 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit 318.

  A card reader 319 connected to the external I / F 309 reads information stored in an IC card (for example, Sony FeliCa (registered trademark)) under the control of the CPU 301, and reads the read information into the external I / F 309. The CPU 301 is notified via F309.

  With the configuration as described above, the multifunction peripheral 300 can transmit the image data read from the scanner 315 to the LAN 400 and print out the print data received from the LAN 400 by the printer unit 314.

  Further, the image data read from the scanner 315 can be faxed to the public line by the modem 304, and the image data received by fax from the public line can be output by the printer unit 314.

  Next, functions of the client PC 100, the authentication server 200, and the MFP 300 according to the present invention will be described with reference to FIG. FIG. 4 is a functional block diagram illustrating an example of functions of the client PC 100, the authentication server 200, and the multifunction peripheral 300.

<Client PC 100>
The Web browser 150 on the client PC 100 accesses the Web service unit 355 in the MFP 300 and rewrites the cache data management setting file (FIG. 13) to change settings such as the cache data expiration date and backup processing time. It has the function to do.

<Authentication server 200>
As shown in FIG. 4, the authentication server 200 includes a data communication unit 250 and an authentication unit 251 as functional configurations.

  The data communication unit 250 receives an authentication request from the authentication server communication unit 351 of the multi-function apparatus 300 and transmits an authentication result to the authentication server communication unit 351.

  When the authentication unit 251 on the authentication server 200 receives an authentication request from the authentication server communication unit 351 of the MFP 300, the authentication unit 251 accesses the authentication table (FIG. 10) managed on the authentication server 200, and the card requested for authentication. The user name associated with the number is searched, and the authentication result is returned to the authentication server communication unit 351 on the multi-function device 300 that has transmitted the authentication request.

<Multifunction device 300>
As shown in FIG. 4, the multifunction machine 300 includes a card reader control unit 350, an authentication server communication unit 351, an authentication processing unit 352, a cache processing unit 353, a backup unit 354, and a web service unit 355 as functional configurations.

  The card reader control unit 350 on the multifunction machine 300 acquires card information (manufacturing number and the like) of the card held over the card reader 319.

  The authentication server communication unit 351 transmits an authentication request to the authentication unit 251 of the authentication server 200 using the card number acquired by the card reader control unit 350, and is issued from the authentication result returned from the authentication server 200 or from the authentication server 200. A function of receiving the access key.

  When the cache processing unit 353 holds a cache data table (FIG. 11) and can communicate with the authentication server 200, the cache processing unit 353 caches the user information returned from the authentication server 200 in the cache data table. If communication with the authentication server 200 is not possible, the cache data is used, and the user name associated with the card number held over the card reader 319 is searched for authentication. Further, when a card of a user (hereinafter referred to as an unregistered user) that is not in the cache data is held over, a list (FIG. 15) of cached users (hereinafter referred to as authorized users) is displayed by communicating with the authentication server 200. Then, the information of the unregistered user is cached by holding the selected authorized user's card over the card reader.

  Since the cache data table is erased when the multifunction device 300 is activated, the cache processing unit 353 acquires the backup file shown in FIG. 12 from the storage area when the multifunction device 300 is activated, and the acquired backup file. Register user information in the cache data table. At this time, the registration flag is set to “1”. The backup file creation process will be described later with reference to the flowchart shown in FIG.

  Incidentally, as shown in FIG. 11, the cache data table holds card information 1101, user name 1102, authentication date 1103, registration flag 1104, and approval card information 1105. In the card information 1101, card information of a card held over the card reader 319 is registered. Further, when the user name 1102 can communicate with the authentication server 200, the user name acquired from the authentication server 200 is registered. When the user name 1102 cannot be communicated and an unregistered user is cached, the user name registration screen (FIG. 17) is displayed. ) Is cached. The authentication date and time 1103 is overwritten with a new authentication date and time each time the user logs in. In the registration flag 1104, “1” is cached when the authentication result returned from the authentication server 200 is successful, communication with the authentication server 200 is not possible, and an unregistered user holds the card of the authorized user. In this case, “0” is cached. In the authentication card information 1105, card information held by an authorized user when an unregistered user is registered (when an unregistered user is logged in) is cached.

  The backup processing unit 354 registers user information whose cache data table registration flag 1104 is “1” and whose expiration date has not passed in a backup file (FIG. 12) at predetermined time intervals.

  The Web service unit 355 provides a mechanism that returns a corresponding Web page in response to a request from the WEB browser 150 of the client PC 100.

  Next, user authentication processing will be described with reference to the flowchart of FIG.

  Note that step S501, step S503 to step S505, and step S511 of this flowchart are processes performed by the CPU 301 of the multifunction machine 300 reading and executing a predetermined control program.

  Step S502 is a process executed by the card reader 319.

  Further, the processes in steps S506 to S510 are processes performed by the CPU 201 of the authentication server 200 reading and executing a predetermined control program.

  In step S <b> 501, the authentication processing unit 352 of the MFP 300 displays an authentication screen (FIG. 14) on the operation unit 318 and prompts the user to hold the IC card over the card reader 319.

  In step S <b> 502, the card reader 319 acquires card information such as a card manufacturing number from the IC card held by the user, and transmits the acquired card information to the authentication processing unit 352 of the multifunction device 300.

  In step S503, the authentication processing unit 352 of the MFP 300 receives the card information acquired by the card reader 319 in step S502 from the card reader 319.

  In step S504, the authentication server communication unit 351 of the MFP 300 transmits the card information acquired by the authentication processing unit 352 in step S503 to the data communication unit 250 of the authentication server 200 as an authentication request.

  In step S <b> 505, the authentication server communication unit 351 of the MFP 300 determines whether communication with the authentication server 200 has been successful.

  If communication with the authentication server 200 fails (step S505: YES), the process proceeds to the process shown in the flowchart of FIG.

  If communication with the authentication server 200 is successful (step S505: NO), the process proceeds to step S506.

  In step S506, the data communication unit 250 of the authentication server 200 receives the authentication request including the card information transmitted from the authentication server communication unit 351 of the multi-function device 300 in step S505.

  In step S507, the authentication unit 251 of the authentication server 200 determines the authentication result of the card information received in step S505. Specifically, it is determined whether or not the received card information exists in the authentication table shown in FIG. 10, and if it exists, the process proceeds to step S508 as successful authentication (step S507: YES).

  On the other hand, if the received card information does not exist in the authentication table (FIG. 10) (step S507: NO), the process proceeds to step S510 as an authentication failure.

  In step S <b> 510, the data communication unit 250 of the authentication server 200 transmits a result indicating that the authentication has failed to the authentication processing unit 352 of the MFP 300.

  In step S508, the authentication unit 251 of the authentication server 200 acquires user information (card information 1001, user name 1002, password 1003, date and time 1004) of the user who has been successfully authenticated from the authentication table (FIG. 10).

  In step S509, the data communication unit 250 of the authentication server 200 transmits to the authentication processing unit 352 of the multifunction device 300 the result that the authentication has been successful and the user information acquired from the authentication table (FIG. 10).

  In step S511, the authentication processing unit 352 of the MFP 300 receives the authentication result transmitted from the data communication unit 250 of the authentication server 200 in step S509 or step S510.

  When the authentication result is received, the process proceeds to the process shown in the flowchart of FIG.

  Next, the update processing of the cache data table (FIG. 11) stored in the multifunction machine 300 will be described with reference to FIG.

  Note that the processing shown in the flowchart of FIG. 6 is processing that is performed when the CPU 301 of the multifunction peripheral 300 reads and executes a predetermined control program.

  In step S601, the authentication processing unit 352 of the MFP 300 determines whether the authentication result transmitted from the data communication unit 250 of the authentication server 200 is a result of successful authentication or a result of failed authentication. to decide.

  If the result indicates that the authentication has failed (step S601: NO), the process proceeds to step S602.

  If the result is that the authentication is successful (step S601: YES), the process proceeds to step S605.

  In step S602, the cache processing unit 353 of the multi-function peripheral 300 determines whether the card information acquired in step S503 in FIG. 5 exists in the cache data table (FIG. 11).

  If it is determined that it exists (step S602: YES), the process proceeds to step S603, and if it is determined that it does not exist (step S602: NO), the process proceeds to step S604.

  In step S603, the cache processing unit 353 of the MFP 300 deletes the user information remaining in the cache data table (FIG. 11).

  By the deletion process in step S603, it is possible to avoid a state in which user information for which no user information exists in the authentication server 200 exists in the cache data table (FIG. 11).

  In step S604, an error screen (not shown) notifying that authentication has failed is displayed on the operation unit 318.

  In step S605, the cache processing unit 353 of the MFP 300 acquires the date and time when authentication was performed.

  In step S606, the cache processing unit 353 of the multi-function peripheral 300 checks whether or not the card information acquired in step S503 is registered in the cache data table (FIG. 11).

  If it is determined that it is registered (step S606: YES), the process proceeds to step S607. If it is determined that it is not registered (step S606: NO), the process proceeds to step S608.

  In step S607, the cache processing unit 353 of the MFP 300 receives the user information of the user (the user corresponding to the card information acquired in step S503) in the cache data table (FIG. 11) from the authentication server 200 in step S511. Overwritten by the user information. The specific data to be overwritten is the user name 1102 received in step S511, the authentication date and time 1103 acquired in step S605, “1” is set in the registration flag 1104, and “ “NULL” is set.

  When the cache data table (FIG. 11) is updated in step S607, the process proceeds to step S611.

  In step S608, the cache processing unit 353 of the MFP 300 determines whether the number of data in the cache data table (FIG. 11) has reached the upper limit value. If the upper limit has been reached (step S608: YES), the process proceeds to step S609. If the upper limit has not been reached (step S608: NO), the process proceeds to step S610.

  Whether or not the number of cache data has reached the upper limit value is determined according to the cache upper limit number 1304 of the cache data management setting file (FIG. 13).

  In step S609, the cache processing unit 353 of the MFP 300 deletes the user information with the oldest authentication date 1103 from the user information registered in the cache data table.

  In step S610, the cache processing unit 353 of the MFP 300 sets the card information 1101 acquired in step S503, the user name 1102 received in step S511, and the authentication date 1103 acquired in step S605 in the cache data table (FIG. 11). The registration flag is set to “1”. “NULL” is set in the approval card information 1105.

  When the cache data table (FIG. 11) is updated in step S610, the process proceeds to step S611.

  In step S <b> 611, the authentication processing unit 352 of the MFP 300 accepts login with the user information received in step S <b> 511.

  Next, the processing when it is determined in step S505 that communication is an error will be described with reference to FIG.

  Note that the processing shown in the flowchart of FIG. 7 is processing that is performed when the CPU 301 of the multifunction peripheral 300 reads and executes a predetermined control program.

  In step S <b> 701, the cache processing unit 353 of the MFP 300 acquires a cache data table (FIG. 11) stored in a storage area such as the HDD 307.

  In step S702, the cache processing unit 353 of the MFP 300 determines whether the card information acquired in step S503 is registered in the cache data table acquired in step S701.

  If it is determined that it is registered (step S702: YES), the process proceeds to step S703, and if it is determined that it is not registered (step S702: NO). The process proceeds to step S708.

  In step S703, the cache processing unit 353 of the MFP 300 confirms whether or not the user information having the card information that matches the card information acquired in step S503 is within the expiration date. Specifically, the value set in the flag “0” user expiration date 1301 or the flag “1” user expiration date 1302 in the cache data management setting file shown in FIG. Use to judge.

  For a user whose user information registration flag is “0”, the expiration date is the date calculated by adding the number of days set in the flag 0 user expiration date 1301 to the authentication date 1103 of the user information.

  For a user whose user information registration flag is “1”, the date calculated by adding the number of days set in the flag 1 user expiration date 1302 to the authentication date 1103 of the user information becomes the expiration date.

  When it is determined that the expiration date thus determined has not passed (step S703: YES), the process proceeds to step S706, and when it is determined that the expiration date has passed (step S703: NO). ) Shifts the processing to step S704.

  In step S704, the cache processing unit 353 of the MFP 300 deletes the user information determined to have expired in step S703 from the cache data table.

  In step S705, the MFP 300 displays an error screen (not shown) indicating that the authentication has failed, and shifts the processing to the processing shown in the flowchart of FIG.

  In step S706, the cache processing unit 353 of the MFP 300 acquires the current date and time. In step S707, the cache processing unit 353 of the MFP 300 overwrites the user information of the user corresponding to the card information acquired in step S503 with the current date and time acquired in step S706.

  Then, the process proceeds to step S611 in FIG. 6, and login is performed using the user information overwritten in step S707.

  In step S <b> 708, the cache processing unit 353 of the MFP 300 acquires user information within the expiration date with the registration flag “1” in the data in the cache data table (FIG. 11). The determination as to whether it is within the expiration date is the same as the determination in step S703.

  That is, user information of a user who can be an authorized user is acquired from the cache data table. The user whose registration flag is “1” is a user who has succeeded in the authentication process using the authentication table of the authentication server 200.

  In step S709, the cache processing unit 353 of the MFP 300 displays a list of user information acquired in step S708 on the operation unit 318 (FIG. 15 as an example of a list display screen).

  In step S <b> 710, the cache processing unit 353 of the multifunction peripheral 300 accepts the approval user selection from the approval user information list displayed in step S <b> 709.

  In step S711, the cache approval unit 353 of the MFP 300 determines whether an approved user is selected from the users and the authentication button 1502 on the list screen is pressed.

  If it is determined that the authentication button 1502 has been pressed (step S711: YES), the process proceeds to step S801 in the flowchart of FIG.

  If the authentication button has not been pressed (step S711: NO), the process proceeds to step S711, and it is determined whether the return button 1501 has been pressed. If the return button 1501 is pressed (step S712: YES), the process proceeds to step S501 in FIG. 5, and the user authentication screen (FIG. 14) is displayed again. If neither the authentication button 1502 nor the return button 1501 is pressed (step S712: NO), the standby state is continuously maintained. If no operation is performed by the user for a certain period of time, the process may be shifted to step S501 in FIG.

  Next, a process for approving login of a user whose user information is not registered in the cache data table (unregistered user) by holding the card of the authorized user over the card reader 319 will be described using the flowchart shown in FIG. Do

  Note that the processes shown in step S801, step S802, and step S804 to step S812 in the flowchart of FIG. 8 are processes that are performed when the CPU 301 of the multifunction peripheral 300 reads and executes a predetermined control program.

  Step S803 is processing executed by the card reader 319.

  In step S801, the cache processing unit 353 of the MFP 300 displays an approved user authentication dialog (FIG. 16) for prompting authentication of the approved user selected by the user in step S710 on the operation unit 318.

  In step S802, the cache processing unit 353 of the MFP 300 determines whether the user has pressed the return button 1601 of the approved user authentication dialog. If the return button 1601 is pressed by the user, the process proceeds to step S709 in FIG. 7, and the approved user list screen (FIG. 15) is displayed again to accept the selection of the approved user.

  If the return button 1601 is not pressed (step S802: NO), the process proceeds to step S803.

  In step S803, the card reader 319 detects the IC card of the approved user selected in step S710, and acquires card information of the detected IC card.

  In step S804, the cache processing unit 353 of the MFP 300 receives the card information acquired by the card reader 319 in step S803.

  In step S805, the cache processing unit 353 of the MFP 300 matches the card information of the authorized user selected in step S710 and the card information received from the card reader 319 in step S804, which is stored in the cache data table. Confirm whether to do.

  If they match (step S804: YES), the process proceeds to step S807. If they do not match (step S805: NO), the process proceeds to step S806.

  In step S806, the cache processing unit 353 of the MFP 300 displays an authentication error screen (not shown) indicating that the authentication has failed. Then, the process proceeds to step S709, the approval user list screen is displayed again, and the selection of the approval user is accepted.

  In step S807, the cache processing unit 353 of the MFP 300 displays a user name registration screen (FIG. 17) that accepts user name registration.

  In step S <b> 808, the cache processing unit 353 of the multifunction peripheral 300 receives an input of a user name from the user. Note that the processing in step S808 is processing for setting user information (user name) of a user who is authorized to log in to the cache data table.

  In step S809, the cache processing unit 353 of the MFP 300 determines whether or not the user has pressed the OK button on the user name registration screen.

  If it is determined that the button has been pressed (step S809: YES), the process proceeds to step S811, and if it has not been pressed (step S809: NO), the process proceeds to step S810.

  In step S810, it is determined whether or not a cancel button has been pressed by the user. If the cancel button has been pressed, the process proceeds to step S501.

In step S811, it is determined whether the user name accepted in step S808 is set in any cache data registered in the cache data table. If the CPU 201 determines NO in this determination process, the process proceeds to step S812, and the cache processing unit 353 of the multifunction peripheral 300 acquires the current date and time (authentication date and time).

  In step S813, the cache processing unit 353 of the MFP 300 sets the card information acquired in step S503, the user name received in step S808, and the current date and time acquired in step S811 in the cache data table (FIG. 11) and registers them. Set the flag to “0”. Then, the card information of the approval user acquired in step S803 is set in the approval card information 1105.

  Then, the cache processing unit 353 of the MFP 300 shifts the process to step S611 and performs login using the information set in step S813.

  In the present invention, when it is determined that the user name that has received an input from the user is not already set as the user name of any cache data included in the cache data table, the information of the IC card that could not be authenticated Cache data associated with the input user name is newly registered in the cache data table. This makes it possible to prevent registration of a user name associated with IC card information that can be authenticated using cache data in association with information of an IC card that could not be authenticated. Spoofing can be suitably prevented.

  In the present embodiment, an authorized user's card is detected, and an input of user information of a user who receives login approval is received. However, as a processing order, the user information of the user who receives login approval is received. The configuration may be such that the card of the authorized user is detected after receiving the input.

  Next, the creation process of the backup file (FIG. 12) will be described with reference to FIG. Note that the processing shown in the flowchart of FIG. 9 is processing that is performed by the CPU 301 reading and executing a predetermined control program by the function of the backup unit 354 in the multifunction peripheral 300.

  In step S901, the backup unit 354 of the MFP 300 determines whether the backup processing time has come. If it is determined that the backup processing time has arrived (step S901: YES), the process proceeds to step S902. If it is determined that the backup processing time has not arrived (step S901: NO), the processing of this flowchart ends.

  The backup processing time follows the backup processing time 1303 of the cache data management setting file stored in advance.

  In step S902, the backup unit 354 of the MFP 300 acquires a cache data table (FIG. 11).

  In step S903, the backup unit 354 of the MFP 300 reads one piece of user information set in the cache data table.

  In step S904, the backup unit 354 of the MFP 300 determines whether the user information has been read in step S903.

  If it can be read (step S904: YES), the process proceeds to step S905. If it cannot be read (step S904: NO), the process of this flowchart ends.

  In step S905, the backup unit 354 of the MFP 300 determines whether the registration flag 1104 of the user information read in step S903 is “1”. If the registration flag 1104 is “1” (step S905: YES), the process proceeds to step S906. If the registration flag 1104 is not “1” (step S905: NO), the process of this flowchart is performed. finish.

  The user whose registration flag is “1” is a user who has communicated with the authentication server 200 and succeeded in the authentication process using the authentication table (FIG. 10).

  In step S906, the backup unit 354 of the MFP 300 determines whether the expiration date of the user information is within the time limit. Note that a specific determination method is the same as the processing in step S703.

  If it is determined that it is within the expiration date (step S906: YES), the process proceeds to step S907. If it is determined that the expiration date has passed (NO at step S906), the processing of this flowchart is performed. finish.

  In step S907, the backup unit 354 of the MFP 300 stores the user information (card information, user name, authentication date) within the expiration date in the backup file (FIG. 12), with the registration flag 1104 being “1”.

  Note that the processing from step S903 to step S907 in this flowchart is repeated until the reading processing is executed for all user information stored in the cache data table.

  By backing up user information of a user whose registration flag is “1” (a user who can be an authorized user) by the processing of this flowchart, the backup file can be used as data in the cache data table when the MFP 300 is activated. Thus, even when the MFP 300 whose cache data table has been deleted is activated, the approval user can approve login.

  In other words, even when the cache data table is erased, such as when the MFP 300 is activated, even if the cache data is not held in the MFP by using the backup file, the approval user can approve the login. Be able to get.

  Through the above processing, even a user whose cache data is not held in the multifunction device can log in to the multifunction device by obtaining approval from the user whose cache data is held in the multifunction device.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  The present invention can adopt an embodiment as, for example, a system, an apparatus, a method, a program, or a recording medium. Specifically, the present invention may be applied to a system including a plurality of devices. Moreover, you may apply to the apparatus which consists of one apparatus.

  Moreover, the program in this invention is a program which can perform the processing method of FIGS. 5-9 by a computer, and the program which can execute the processing method of FIGS. 5-9 in a computer is stored in the storage medium of this invention. It is remembered. The program in the present invention may be a program for each processing method of each apparatus in FIGS.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by reading and executing.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium recording the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  The present invention may be applied to a system constituted by a plurality of devices or an apparatus constituted by a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention. In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 client PC
200 Authentication Server 300 Multifunction Device 319 Card Reader 400 LAN

Claims (9)

An image forming apparatus that permits use by a user authenticated by an authentication process,
First acquisition means for acquiring card identification information used for user authentication;
An authentication request means for making an authentication request for a user corresponding to the card identification information acquired by the first acquisition means to the authentication server;
Storage means for storing information including user identification information of a user authenticated by an authentication process performed by the authentication server in response to the authentication request and the card identification information in a storage device as cache information;
First determination means for determining whether cache information including the card identification information acquired by the first acquisition means is stored in the storage device when the result of authentication by the authentication server cannot be obtained;
User identification information input according to a user operation after it is determined by the first determination means that the cache information including the card identification information acquired by the first acquisition means is not stored in the storage device Second acquisition means for acquiring
Second determination means for determining whether cache information including the user identification information acquired by the second acquisition means is stored in the storage device;
If it is determined by the second determination means that the cache information including the user identification information acquired by the second acquisition means is not stored in the storage device, the user corresponding to the card identification information Add means for additionally registering in the storage device cache information including the card identification information acquired by the first acquisition means and the user identification information acquired by the second acquisition means in order to enable the use of the image forming apparatus. Prepared,
When it is determined that the cache information including the user identification information acquired by the second acquisition unit is stored in the storage device, the adding unit acquires the card identification information acquired by the first acquisition unit. The image forming apparatus is characterized in that the cache information including the user identification information acquired by the second acquisition unit is not additionally registered in the storage device.   After the second determining unit determines that the cache information including the user identification information acquired by the second acquiring unit is not stored in the storage device, the cache is newly added to the storage device by the adding unit. The image forming apparatus according to claim 1, further comprising a use permission unit that permits use of the image forming apparatus by a user indicated by registered cache information. After the first determination means determines that the card identification information is not included in the storage device, an approval user who can become an approval user who approves the use of the image forming apparatus is obtained using the cache information. Further comprising an authorized user authentication means for authenticating,
The use permission unit permits the user to use the image forming apparatus indicated by the cache information newly registered in the storage device by the adding unit after the authentication process by the approved user authentication unit is successful. The image forming apparatus according to claim 2. An approval to approve use of the image forming apparatus when the first determination unit determines that the cache information including the card identification information acquired by the first acquisition unit is not stored in the storage device Display means for displaying user cache information that can be a user on the display unit;
Selection accepting means for accepting selection of cache information of a user as an approved user among the cache information displayed by the display means;
A third obtaining unit for obtaining the card identification information of the authorized user accepted by the selection accepting unit;
The approved user authentication unit performs an authentication process of the approved user depending on whether or not the card identification information of the approved user acquired by the third acquiring unit is included in the cache information received and selected by the selection receiving unit. The image forming apparatus according to claim 3, wherein the image forming apparatus is performed. The cache information includes identification information indicating whether the cache information is stored by the storage unit or is additionally registered by the addition unit,
The display means displays, on the display unit, cache information including identification information indicating that it is stored by the storage means among cache information stored in the storage device as cache information of a user who can be the authorized user. The image forming apparatus according to claim 4. When it is determined by the first determination means that the cache information including the card identification information is stored in the storage device, the use permission means is a user indicated by the cache information including the card identification information. The image forming apparatus according to claim 2, wherein use of the image forming apparatus is permitted. And a deletion unit that deletes cache information including the card identification information stored in the storage device after receiving a result indicating that the user authentication corresponding to the card identification information has failed from the authentication server. The image forming apparatus according to claim 1, wherein the image forming apparatus is an image forming apparatus. A method of controlling an image forming apparatus that permits use by a user authenticated by an authentication process,
The image forming apparatus includes:
A first acquisition step of acquiring card identification information used for user authentication;
An authentication requesting step for making an authentication request for a user corresponding to the card identification information acquired in the first acquiring step to the authentication server;
A storage step of storing information including user identification information of a user authenticated by an authentication process performed by the authentication server in response to the authentication request, and the card identification information in a storage device as cache information;
A first determination step of determining whether or not cache information including the card identification information acquired in the first acquisition step is stored in the storage device when the result of authentication by the authentication server cannot be obtained;
User identification information input in accordance with a user operation after it is determined in the first determination step that the cache information including the card identification information acquired in the first acquisition step is not stored in the storage device A second acquisition step of acquiring
A second determination step of determining whether cache information including the user identification information acquired by the second acquisition step is stored in the storage device;
When it is determined by the second determination step that the cache information including the user identification information acquired by the second acquisition step is not stored in the storage device, the user corresponding to the card identification information An additional step of additionally registering in the storage device cache information including the card identification information acquired in the first acquisition step and the user identification information acquired in the second acquisition step in order to enable the use of the image forming apparatus; Characterized by performing,
If it is determined that the cache information including the user identification information acquired in the second acquisition step is stored in the storage device, the adding step includes the card identification information acquired in the first acquisition step. And a cache information including the user identification information acquired in the second acquisition step is not additionally registered in the storage device. A computer program executable in an image forming apparatus that permits use by a user who has been authenticated by an authentication process,
The image forming apparatus;
First acquisition means for acquiring card identification information used for user authentication;
An authentication request means for making an authentication request for a user corresponding to the card identification information acquired by the first acquisition means to the authentication server;
Storage means for storing information including user identification information of a user authenticated by an authentication process performed by the authentication server in response to the authentication request and the card identification information in a storage device as cache information;
First determination means for determining whether cache information including the card identification information acquired by the first acquisition means is stored in the storage device when the result of authentication by the authentication server cannot be obtained;
User identification information input according to a user operation after it is determined by the first determination means that the cache information including the card identification information acquired by the first acquisition means is not stored in the storage device Second acquisition means for acquiring
Second determination means for determining whether cache information including the user identification information acquired by the second acquisition means is stored in the storage device;
If it is determined by the second determination means that the cache information including the user identification information acquired by the second acquisition means is not stored in the storage device, the user corresponding to the card identification information As an additional means for additionally registering cache information including the card identification information acquired by the first acquisition means and the user identification information acquired by the second acquisition means in the storage device so that the image forming apparatus can be used. It is characterized by functioning,
When it is determined that cache information including the user identification information acquired by the second acquisition unit is stored in the storage device, the adding unit determines the card identification information acquired by the first acquisition unit. And a computer program that causes the cache information including the user identification information acquired by the second acquisition means to function as a means not to be additionally registered in the storage device.

Images